The Hyper-V Virtual Switch is a software-based layer-2 Ethernet network switch that is available in Hyper-V Manager when you install the Hyper-V server role. The switch includes programmatically managed and extensible capabilities to connect virtual machines to both virtual networks and the physical network. In addition, Hyper-V Virtual Switch provides policy enforcement for security, isolation, and service levels.

Important

Hyper-V Virtual Switch only supports Ethernet, and does not support any other wired local area network (LAN) technologies, such as Infiniband and Fibre Channel.

The Hyper-V Virtual Switch in Windows Server® 2012 introduces several new features and enhanced capabilities for tenant isolation, traffic shaping, protection against malicious virtual machines, and simplified troubleshooting.

In the following illustration, a Virtual Machine (VM) has a virtual NIC that is connected to the Hyper-V Virtual Switch through a switch port.

The capabilities provided in the Hyper-V Virtual Switch mean that organizations have more options for enforcing tenant isolation, shaping and controlling network traffic, and employing protective measures against malicious virtual machines.

Displaying statistics: A developer at a hosted cloud vendor implements a management package that displays the current state of the Hyper-V virtual switch. The management package can query switch-wide current capabilities, configuration settings, and individual port network statistics using WMI. The status of the switch is then displayed to give administrators a quick view of the state of the switch.

Resource tracking: A hosting company sells hosting services priced according to the level of membership. The different membership levels include different network performance levels. The administrator allocates resources to meet the SLAs in a manner that balances network availability. The administrator programmatically tracks information such as the current usage of the assigned bandwidth, and the number of VM-assigned virtual machine queue (VMQ) or IOV channels. The same program also periodically logs the resources in use, in addition to the per-VM resources assigned, for double-entry tracking of resources.
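The "Displaying statistics" and "Resource tracking" scenarios above both come down to reading switch, port and usage data from the host. The following script is an added example, not code from the original article or from Microsoft; it uses the Hyper-V PowerShell module that ships with Windows Server 2012 (Get-VMSwitch, Get-VMSwitchExtension, Get-VMNetworkAdapter, Get-VMNetworkAdapterVlan, Enable-VMResourceMetering, Measure-VM) rather than raw WMI, and the Direction and TotalTraffic property names on the metering report are assumed from the Windows Server 2012 cmdlet output. The CSV path is a constructed example value.

```powershell
# Added example (not from the original article). Run in an elevated session on
# the Hyper-V host. Produces three views: switch-wide state, per-port
# configuration/resources, and metered per-VM traffic for SLA tracking.

function Get-VSwitchState {
    # Switch-wide view: type, IOV/bandwidth mode and the loaded extension stack.
    foreach ($sw in Get-VMSwitch) {
        $ext = Get-VMSwitchExtension -VMSwitchName $sw.Name |
               ForEach-Object { '{0} ({1}, enabled={2})' -f $_.Name, $_.ExtensionType, $_.Enabled }
        [pscustomobject]@{
            Switch        = $sw.Name
            Type          = $sw.SwitchType
            IovEnabled    = $sw.IovEnabled
            BandwidthMode = $sw.BandwidthReservationMode
            Extensions    = ($ext -join '; ')
        }
    }
}

function Get-VSwitchPortState {
    # Per-port view: one row per VM network adapter, with the VLAN, bandwidth
    # reservation and the VMQ/IOV resources actually assigned to that port.
    foreach ($nic in Get-VMNetworkAdapter -VMName *) {
        $vlan = Get-VMNetworkAdapterVlan -VMNetworkAdapter $nic
        [pscustomobject]@{
            VM            = $nic.VMName
            Adapter       = $nic.Name
            Switch        = $nic.SwitchName
            MacAddress    = $nic.MacAddress
            Status        = ($nic.Status -join ',')
            VlanMode      = $vlan.OperationMode
            AccessVlanId  = $vlan.AccessVlanId
            MinBandwidth  = $nic.BandwidthSetting.MinimumBandwidthAbsolute
            MaxBandwidth  = $nic.BandwidthSetting.MaximumBandwidth
            VmqUsage      = $nic.VmqUsage
            IovQueuePairs = $nic.IovQueuePairsAssigned
        }
    }
}

function Get-VMNetworkUsage {
    # Resource-tracking view: metered inbound/outbound traffic per VM.
    # Enabling metering is idempotent; counters accumulate until reset.
    param([string]$VMName = '*')
    $vms = Get-VM -Name $VMName
    $vms | Enable-VMResourceMetering
    foreach ($report in ($vms | Measure-VM)) {
        # Assumed property names: Direction ('Inbound'/'Outbound') and TotalTraffic (MB)
        $in  = ($report.NetworkMeteredTrafficReport | Where-Object Direction -eq 'Inbound'  |
                Measure-Object -Property TotalTraffic -Sum).Sum
        $out = ($report.NetworkMeteredTrafficReport | Where-Object Direction -eq 'Outbound' |
                Measure-Object -Property TotalTraffic -Sum).Sum
        [pscustomobject]@{ VM = $report.VMName; InboundMB = $in; OutboundMB = $out; SampledAt = Get-Date }
    }
}

# Example run: show the switch and port views, then append a usage snapshot to a
# CSV (constructed path) so the log can be reconciled against per-VM assignments.
Get-VSwitchState     | Format-Table -AutoSize
Get-VSwitchPortState | Format-Table -AutoSize
Get-VMNetworkUsage   | Export-Csv -Path "$env:ProgramData\vswitch-usage.csv" -Append -NoTypeInformation
```

Scheduling the last line as a periodic task gives the "double-entry" record the scenario describes: the usage log can be compared against the per-port assignments that Get-VSwitchPortState reports at the same moment.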

Managing the order of switch extensions: An enterprise has installed extensions on its Hyper-V host both to monitor traffic and to report intrusion detection. During maintenance, some extensions may be updated, causing the order of the extensions to change. A simple script is run to restore the order of the extensions after updates.
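One way to write the reordering script from this scenario, as an added example that is not code from the original article or from Microsoft: it uses the root\virtualization\v2 WMI namespace of Windows Server 2012 and assumes that Msvm_VirtualEthernetSwitchSettingData exposes an ExtensionOrder array of extension references, that the switch's Msvm_EthernetSwitchExtension instances are reachable through GetRelated, and that Msvm_VirtualEthernetSwitchManagementService.ModifySystemSettings applies the change. The switch name and extension names in the usage call are hypothetical.

```powershell
# Added example (not from the original article): put the extensions of one
# Hyper-V Virtual Switch back into a required order after an update.

function Set-VSwitchExtensionOrder {
    param(
        [Parameter(Mandatory)][string]$SwitchName,
        # Extension display names, in the order they should see packets.
        [Parameter(Mandatory)][string[]]$DesiredOrder
    )
    $ns = 'root\virtualization\v2'

    $switch = Get-WmiObject -Namespace $ns -Class Msvm_VirtualEthernetSwitch -Filter "ElementName='$SwitchName'"
    if (-not $switch) { throw "Switch '$SwitchName' not found" }

    # Extensions currently bound to this switch, keyed by display name (assumed association).
    $extensions = @{}
    $switch.GetRelated('Msvm_EthernetSwitchExtension') | ForEach-Object { $extensions[$_.ElementName] = $_.__PATH }
    if ($extensions.Count -eq 0) { throw "No extensions found on '$SwitchName'" }

    $missing = $DesiredOrder | Where-Object { -not $extensions.ContainsKey($_) }
    if ($missing) { throw "Extensions not installed on '$SwitchName': $($missing -join ', ')" }

    # Named extensions first, in the requested order; anything else keeps a place at the end.
    $newOrder = @($DesiredOrder | ForEach-Object { $extensions[$_] })
    $newOrder += @($extensions.Values | Where-Object { $newOrder -notcontains $_ })

    $settings = $switch.GetRelated('Msvm_VirtualEthernetSwitchSettingData') | Select-Object -First 1
    $settings.ExtensionOrder = [string[]]$newOrder   # assumed property (see lead-in)

    $svc = Get-WmiObject -Namespace $ns -Class Msvm_VirtualEthernetSwitchManagementService
    $result = $svc.ModifySystemSettings($settings.GetText([System.Management.TextFormat]::CimDtd20))
    # 0 = completed synchronously, 4096 = job started
    if ($result.ReturnValue -ne 0 -and $result.ReturnValue -ne 4096) {
        throw "ModifySystemSettings failed with return code $($result.ReturnValue)"
    }

    # Re-read the order the switch now reports so the caller can verify it.
    ($switch.GetRelated('Msvm_VirtualEthernetSwitchSettingData') | Select-Object -First 1).ExtensionOrder
}

# Hypothetical usage: capture/monitoring extension first, IDS reporting extension after it.
Set-VSwitchExtensionOrder -SwitchName 'TenantSwitch' -DesiredOrder @('Contoso Traffic Monitor', 'Fabrikam IDS Reporter')
```

The function fails closed: if a named extension is not installed it changes nothing, and it returns the post-change order so a maintenance runbook can compare it to the expected list instead of trusting the return code alone.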

Forwarding extension manages VLAN ID: A major switch company is building a forwarding extension that applies all policies for networking. One element that it manages is virtual local area network (VLAN) IDs. The virtual switch cedes control of the VLAN to the forwarding extension. The switch company's installation program calls a Windows Management Instrumentation (WMI) application programming interface (API) that turns on VLAN transparency, telling the Hyper-V Virtual Switch to pass VLAN tags through and take no action on them.

ECN marking support: Explicit Congestion Notification (ECN) marking—also known as Data Center TCP (DCTCP)—enables the physical switch and the operating system to regulate traffic flow so that the buffer resources of the switch are not flooded, which results in increased traffic throughput.

Diagnostics: Diagnostics allow easy tracing and monitoring of events and packets through the virtual switch.

The Hyper-V Virtual Switch features described in the preceding Important functionality section of this topic enable administrators to configure security and isolation options, and to monitor traffic in ways not previously provided. The extensible nature of the switch enables independent software vendors (ISVs) to provide an additional layer of customization.

What value does this change add?

The recent increase in the use of virtualization has resulted in many hosting companies placing VMs for multiple clients on the same computer, increasing the need for isolation and protection. Although Windows Server 2008 R2 does provide MAC address spoofing protection by default, server releases up through Windows Server 2008 R2 provide only minimal security protection for virtualized network traffic. In Windows Server® 2012, traffic that flows between VMs on the same physical host computer is more secure because of enhancements that protect against malicious virtual machines.

In Windows Server® 2012, the new Hyper-V Virtual Switch provides more security, including functionality that allows customers to readily monitor and move traffic through the switch. Additionally, the Hyper-V Virtual Switch supports an interface through which ISVs can extend the switch functionality.
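The protections against malicious virtual machines mentioned above are applied per switch port. The script below is an added example, not code from the original article or from Microsoft; it uses the Windows Server 2012 Hyper-V module cmdlets Get-VMNetworkAdapter and Set-VMNetworkAdapter to audit, and optionally enforce, MAC address spoofing protection together with the DHCP guard, router guard and port mirroring settings on every VM port of one switch. The switch name and the list of VMs permitted to act as DHCP servers or routers are hypothetical.

```powershell
# Added example (not from the original article): report and enforce the
# per-port protections on tenant VM ports attached to a given switch.

function Protect-TenantVMPorts {
    param(
        [Parameter(Mandatory)][string]$SwitchName,
        # VMs that legitimately serve DHCP or route traffic (e.g. a virtual appliance)
        [string[]]$InfrastructureVMs = @(),
        # Without -Enforce the function only reports drift
        [switch]$Enforce
    )
    foreach ($nic in Get-VMNetworkAdapter -VMName * | Where-Object SwitchName -eq $SwitchName) {
        $isInfra = $InfrastructureVMs -contains $nic.VMName
        # Desired state; keys match the Set-VMNetworkAdapter parameter names so the
        # hashtable can be splatted directly.
        $desired = @{
            MacAddressSpoofing = 'Off'                                 # drop frames with a forged source MAC
            DhcpGuard          = $(if ($isInfra) { 'Off' } else { 'On' })  # drop DHCP server replies from tenants
            RouterGuard        = $(if ($isInfra) { 'Off' } else { 'On' })  # drop router advertisements/redirects
            PortMirroring      = 'None'                                # no copies of other ports' traffic
        }
        $drift = foreach ($k in $desired.Keys) {
            # The adapter object exposes the mirroring setting as PortMirroringMode
            $current = if ($k -eq 'PortMirroring') { $nic.PortMirroringMode } else { $nic.$k }
            if ("$current" -ne $desired[$k]) { "$k=$current (want $($desired[$k]))" }
        }
        if ($drift -and $Enforce) {
            Set-VMNetworkAdapter -VMNetworkAdapter $nic @desired
        }
        [pscustomobject]@{
            VM       = $nic.VMName
            Adapter  = $nic.Name
            Drift    = ($drift -join '; ')
            Enforced = [bool]($drift -and $Enforce)
        }
    }
}

# Hypothetical usage: audit first, then enforce once the report looks right.
Protect-TenantVMPorts -SwitchName 'TenantSwitch' -InfrastructureVMs 'edge-router-01' | Format-Table -AutoSize
Protect-TenantVMPorts -SwitchName 'TenantSwitch' -InfrastructureVMs 'edge-router-01' -Enforce | Format-Table -AutoSize
```

Running the audit form on a schedule and alerting on any non-empty Drift column turns these port settings into a monitored control rather than a one-time configuration.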

Hyper-V Virtual Switch requires a 64-bit processor that includes the following:

Product disk or files for Windows Server® 2012

Physical computer for hosting Windows Server® 2012

Hardware-assisted virtualization. This is available in processors that include a virtualization option—specifically processors with Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) technology.

Hardware-enforced Data Execution Prevention (DEP) must be available and enabled. Specifically, you must enable Intel XD bit or AMD NX.
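The processor requirements listed above can be verified on a candidate host before the role is installed. This is an added example, not code from the original article or from Microsoft; it reads the documented WMI properties Win32_Processor.VirtualizationFirmwareEnabled and Win32_OperatingSystem.DataExecutionPrevention_Available through Get-CimInstance, which is available on Windows Server 2012.

```powershell
# Added example (not from the original article): check the x64, hardware
# virtualization and hardware DEP prerequisites on this host.

function Test-HyperVPrerequisites {
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem

    $checks = [ordered]@{
        # 64-bit processor running a 64-bit operating system
        'x64 processor and OS'        = ($cpu.AddressWidth -eq 64) -and [Environment]::Is64BitOperatingSystem
        # Intel VT / AMD-V present and enabled in firmware
        'Hardware virtualization on'  = [bool]$cpu.VirtualizationFirmwareEnabled
        # Hardware DEP (Intel XD bit / AMD NX) available to the OS
        'Hardware DEP (XD/NX) enabled' = [bool]$os.DataExecutionPrevention_Available
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Requirement = $name; Satisfied = $checks[$name] }
    }
}

$results = Test-HyperVPrerequisites
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Satisfied }) {
    Write-Warning 'This host does not meet all Hyper-V Virtual Switch prerequisites.'
}
```

A false result for hardware virtualization or DEP usually means the feature is present but disabled in firmware; the script reports what the operating system currently sees, not what the processor is capable of.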